DNS hijacking by ISPs.

I've determined my ISP is redirecting all Google searches from my home to their hosted Google. I consider this a privacy violation. Regardless of what DNS server/service I switch to (at the router level), all Google activity is being redirected to ISP servers. Actually the full route is ISP->Germany->ISP->. To do this it is apparent they've got a static route set up. I've reached out to other engineers I know for a discussion on this, including a Pentest/Spyware engineer at one of the bigger pentest firms. What worries me is how they are redirecting if I am changing the DNS. I've checked caches for poisoning, and cannot find anything unusual. It looks like they have static routes set up for specific traffic.

EFF a few years ago reported widespread search hijacking by ISPs. But nothing much has been reported since then.

On further investigation, it appears they are doing this through Port 53 interception, to force DNS calls, even DNS configured to external servers, to push through Port 53 for redirection. I consider this highly unethical, and intrusive.

That's an option but I read DNSCrypt isn't developed any longer? I am going to examine what I can do from the UTM/Appliance level. Also I need to test if they are messing with HTTPS, then we have a real issue, possibly even a lawsuit in order. Apparently most of the ISPs have been implicated in doing this at one point or another, or still doing it. It looks like they hijack Port 53, create an invalid response, fallback to NXDOMAIN, then inject their own DNS into it. If what I gather is correct.

I called my provider, who claims to have 'no knowledge' of search engine redirects/hijacks. I informed them that this is considered a grey area, and in some cases illegal, and a violation of RFC specifications, and that there could be repercussions if they do it, and I go public with it. Level 1 there 'talked' to someone else (probably L2), who said they would 'adjust stuff' on their end and see if it fixes it.

If it does fix it, then I will assume they realize they got 'caught' and turned off Port 53 NXDOMAIN hijacking for me. If it does not magically become fixed, then I will assume they want me to press forward with disclosure, and exploration of resolutions.

It's hard to tell from the first post if searches are redirected to some other server or only DNS requests are redirected to other (ISP's) servers. If the second option is true, then the user would still reach the legit Google server, but domain resolution would happen on the ISP's server instead of the server configured by the user. The certificate wouldn't show any problems.

EDIT: I've read the first post again and I don't know if the route for HTTP/HTTPS traffic is what bothers the OP.

This appears to be a serious issue, as my ISP has been implicated running malicious DNS servers. This may also help explain why my UTM filters thousands of malicious packet injections a day. However, changing DNS servers doesn't fix it because ISPs are using NXDOMAIN failover, and Port 53 hijacking to do it now.

The Microsoft/Polytechnic research named names, compiling a list of nine ISPs who last year seemed to purposely run the malicious DNS servers: Hughes, Frontier, Cavalier, FiberNet, Spacenet, Onvoy, WOW [Wide Open West], Cincy B., and SDN. The paper noted that end users can switch from their ISP-provided DNS server to a public server (Google runs such servers, for instance, at 8.8.8.8 and 8.8.4.4) to avoid the problems. But there are other avenues for action; the paper also noted that "complaints can be made to regulatory agencies or legal actions can be taken."

Here's a test to run from a command prompt:

nslookup -type=txt which.opendns.com. 208.67.220.220

If the result is "I am not an OpenDNS resolver" then DNS is being intercepted. If result is of the form "#.aaa" where "#" is any number and "aaa" is any three letters, then DNS is not being intercepted.
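
The same check as a script, added here as an example (not from the post's author): it builds the TXT query by hand, sends it straight to 208.67.220.220 on UDP/53, parses the answer and applies the rule above. The "unknown" result for any other answer text is an assumption of this example, not part of the post.

```python
import re, socket, struct

OPENDNS_RESOLVER = "208.67.220.220"       # resolver IP given in the post
PROBE_NAME = "which.opendns.com"          # TXT record naming the resolver that answered
INTERCEPTED = "I am not an OpenDNS resolver"
GENUINE = re.compile(r"^\d+\.[a-z]{3}$")  # the "#.aaa" form from the post, e.g. "3.ams"

def build_txt_query(name, txid=0x1234):
    """Single-question DNS query: TXT (type 16), class IN, recursion desired."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", 16, 1)

def skip_name(msg, off):
    """Offset just past a name; a byte with the top two bits set is a 2-byte compression pointer."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_txt_answers(msg):
    """Return the TXT strings found in the answer section of a DNS response."""
    qd, an = struct.unpack(">HH", msg[4:8])
    off, texts = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4                  # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        p, off = off + 10, off + 10 + rdlen            # p walks the rdata, off moves to the next RR
        while rtype == 16 and p < off:                 # TXT rdata is <len><chars> repeated
            texts.append(msg[p + 1:p + 1 + msg[p]].decode(errors="replace"))
            p += 1 + msg[p]
    return texts

def classify(texts):
    """The post's rule: a genuine OpenDNS resolver answers '<n>.<xyz>'; 'unknown' is this example's addition."""
    if INTERCEPTED in texts:
        return "intercepted"
    return "direct" if any(GENUINE.match(t) for t in texts) else "unknown"

def probe(resolver=OPENDNS_RESOLVER, timeout=3.0):
    """Send the query to the resolver IP on UDP/53 and classify whatever answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(PROBE_NAME), (resolver, 53))
        return classify(parse_txt_answers(s.recvfrom(4096)[0]))

if __name__ == "__main__":
    print(probe())
```

Because the query is addressed to the resolver's IP rather than to a hostname, "intercepted" means something on the path answered instead of OpenDNS.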

That's not entirely true. In my case they are hijacking it by port, and possibly with keyword inspection. My DNS resolves correctly, but I don't resolve to any of my DNS servers, which means they are injecting it somewhere.

I just got off of the phone with Level-3 support at my ISP. You can tell he's not the type that generally talks to customers. He generally did what I would expect, assumed I was a dumb customer, and told me it's Chrome doing it, then saying 'All Google searches look fine!'. Then I explained it LOOKS like Google, but if you check IP addresses you will see it's a Google redirection to a hosted server via DNS hijacking. Once we got all of that out of the way he said 'We wouldn't do that, it would be illegal'. Then I pointed out the fact that this ISP has done similar things, and has a lawsuit over deep packet injection data mining. He then said he would have to talk to other people there, and find out if this really is happening, and if so - why.

In effect, they are spying - on a big scale - and incredibly, people at the company don't seem to have a clue about this.

Him - "Sir, we discovered some ports being blocked and redirected."
.... (Isn't this what I have been saying for... Months?)
Me- "Yes? On what gear?"
Him - "Probably your gear"
Me- "Oh wait, let me DMZ and check... Ok same results, I have no ports closed now, GRC verifies all my ports are wide open, and everything is in passthrough mode"
Him - "Well some port is closed"
Me - "What port?"
Him - "A port google and search engines use"
Me - "You mean Port 80(http), 443(https), and 53(dns)? Those are open now, we already went through this."
Him - "Well the only thing I can tell from here is someone has ports closed that Google expects, causing it to re-route traffic."
Me - "Reroute to... Wait for it.. Your PAXFIRE injected fraudulent, emulated search engine servers?"
Him - "Well, all I will say is, it's being redirected because of port closure, and I don't know where, how or why. But Google searches from your home are going to a fake Google."
Me - "Alright, now that we've established it's not on my gear. Where is it?"
Him - "I don't know. I will forward this to our higher level engineers."
Him - "I need you to archive all of your logs, data, and screenshots, and send those to our support email along with the type of gear you have in your home." (LOL? Sure buddy, I'll get right on that.. Why not give you the keys to my house?)
End of conversation.

So far, I am getting nowhere.. I cannot believe they employ engineers that aren't smart enough to see this happening. I run so many traces, sniffs, and packet inspections at work that I would detect in minutes if something was amiss. Do these guys just sit in cubicles surfing porn?

Well it certainly looks like this is a highly corrupt ISP... Not the first time they've been in trouble.

http://www.cedmagazine.com/news/2009/12/report:-wow-facing-spyware-allegations-in-federal-court
WOW, the nation’s 12th-largest MSO, allegedly used spyware to “inject advertisements into the Web pages users visited, transmit code that caused undeletable tracking cookies to be installed on users' computers, and forge the 'return addresses' of user communications so their tampering would escape the detection of users' privacy and security controls," according to the class-action suit.

Also, it appears some other folks have started to discover traffic anomalies with WideOpenWest. Not to the level I have been finding it, but nevertheless, they have. I've discovered WOW is also operating Xerocole boxes, and that's part of the hijacking, injection efforts, and likely why my ZyXEL goes insane over my WOW traffic, picking it to bits with thousands upon thousands of packet modification alerts (and blocks).

Rootwyrm accurately points out that Xerocole is serving up malware to WOW customers, which explains the.. 250,000 pieces of malware blocked at the packet level in the last 25 days. Bottom line - WOW has to be dropped if you use them otherwise your privacy is trashed, and your systems are at risk, and this is provable.

Are you using any ISP hardware, like a router or modem? Because I wonder if it's one of those doing it.

But like others are saying, test with a VPN. It really wouldn't surprise me that it's on the ISP's end. If not a conspiracy, then just incompetence on their part.

Edit:

Don't you just love having to explain yourself to "tech support" when you know it's not you, it's them? And then they try to say it's you, like you're an 80-year-old woman? I love that. I love it so much that I'd sooner smash my phone and never use one again.

Sprint mobile does this too, I think on 3G but not on 4G WiMAX for some reason (or vice versa). I tried to figure out how to change the port # for DNS requests to 5353 and use either German or Swiss Privacy Foundation as DNS server but I don't think it's possible without installing a program like Acrylic DNS Proxy or something similar.

I will update this soon with all of the detail. I have concluded my investigation, and I am forced to change ISPs. I took it to Level 4 support, the only IT higher there is the regional IT director. My UTM enforces DNS, logs verify my DNS is being handled by OpenDNS, yet I am still being hijacked. We've determined that my ISP is creating an artificial situation where DNS resolves fail then fall back to NXDOMAIN, then redirects to a malicious DNS server. Google calls are intercepted, and sent to a forged malicious Google where they serve up domains they want based on Google cache results using XEROCOLE boxes, then modifications of packets/headers take place by Xerocole with insertion of malicious code. The malicious intercepts are directed to PAXFIRE servers in the chain as well. Deep Packet Inspection takes place, with insertion of identifiable code. My security tools pick these up as malicious inserts, or fraudulent packets.

Paxfire - some report, is an NSA shell company used to harvest data under the guise of advertising. They still exist, and my provider is still using them, regardless of what they call themselves now: https://en.wikipedia.org/wiki/Paxfire

Both companies are basically shell companies, with a lot of fake addresses, and are known typo squatters. They abuse the mistyped URL failover by CREATING a situation where your LEGIT typed URLs are forced to fail over, which they then hijack. Very clever abuse of a system designed to fix problems.

The implications are astounding..

1) My ISP (10th largest in the nation) is inserting malicious code into headers/packets.
2) They are hijacking legit typed URLs, forcing a redirect situation. (Malware-like hijacking)
3) They are inserting tracking information into people's computers, and traffic.
4) They are snooping on all activity, especially searches.

I've found this to be one of the most interesting threads in a while. I use a small--and expensive--ISP that prides itself on its reliability, ethics and integrity. I could have more bandwidth for less money from the only other ISP available here but they are notorious for being sloppy and having outages that last days. I never thought about what else they could be doing with the data that passes through their system.

I can tell you that running a VPN solves this - obviously.. But I am not setting up VPNs on every device in the home, or murdering my connection. I have now just verified that ZenMate for Chrome prevents this. My UTM logs show no diversions, malware insertion, or packet modification activity of any kind while running ZenMate, so that appears to be a simple, effective solution. That is, if you trust ZenMate, and it is fast enough for you?

For me principle alone dictates I expose this company, and ditch them as my ISP.

If you are using equipment (modem & router) that they provided for you, I'd ditch that first of all and buy your own equipment. Configure it properly. Use an outbound firewall that disallows any communication between your router and your box. Use reputable DNS servers like the Swiss Privacy Foundation, Chaos Computer Club, or Comodo Secure DNS. Or DNSCrypt/OpenDNS as others have said. And a reputable VPN too if you want to (Mullvad, iVPN, AirVPN).